[security-dev] how to model services managed by a realm
Pedro Igor Silva
psilva at redhat.com
Tue Jun 11 10:58:23 EDT 2013
----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Pedro Igor Silva" <psilva at redhat.com>
> Cc: security-dev at lists.jboss.org
> Sent: Tuesday, June 11, 2013 11:14:05 AM
> Subject: Re: [security-dev] how to model services managed by a realm
>
>
>
> On 6/11/2013 10:00 AM, Pedro Igor Silva wrote:
>
> >>
> >> Then another problem with your suggestion is, for a given Realm, how do
> >> I find out the associated Tiers? I'm not seeing any examples or code
> >> that allows me to do this.
> >>
> >
> > I think we don't support this kind of query. But you can always get all
> > users, groups or roles for a specific partition.
> >
>
> Maybe create a default Agent within the realm and set an attribute which
> contains the related tiers?
>
This is possible, but I'm not sure how much this is a workaround :). I think it is better to wait for PLINK-130, then you can use your custom identity types to better satisfy your requirements.
There are other alternatives that I can think of, but none of them looks better than using tiers for application-specific roles and groups and realms for users. Which does not fit your requirements, as you said.
> Would be nice to be able to associate a tier with a realm and be able to
> query to find out which tiers are associated with a realm. Also, it
> would be nice to be able to define attributes for a tier or realm. I
> guess the only way to do this would again be to create a default Agent
> that has the attributes you need to set.
>
The main idea behind tiers is to share roles/groups between realms, and not tie them to a specific realm. From the documentation:
"A Tier is a more restrictive type of partition than a realm, as it only allows groups and roles to
be defined (but not users). A Tier may be used to define a set of application-specific groups and
roles, which may then be assigned to groups within the same Tier, or to users and groups within
a separate Realm."
I think I discussed attributes on partitions with Shane some time ago. I need to recall that. But I agree that partition-scoped attributes can be handy.
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>